- From: Michiel Leenaars <michiel.ml@nlnet.nl>
- Date: Thu, 14 May 2020 17:52:45 +0200
- To: <ietf-http-wg@w3.org>
Hi James,

>> This means that a secure transport layer must be used, like
>> TLS. The termination of such a secure layer MUST also
>> terminate any ongoing SASL handshakes.
>
> Isn't this incompatible with use cases where TLS termination is
> separated from the processing of the HTTP request such is common
> in CDNs, or where a trusted proxy is involved?

arguably, resources fetched from a public CDN are (or should be) exclusively static assets, which of course can be used in an authenticated session but are not part of it. TLS can be provided for integrity, but not for confidentiality. Since a CDN is essentially a cache with man-in-the-middle capabilities allowing to observe all the traffic that passes by, it cannot be end-to-end secure in the actual sense of the word and should not be used as such.

So I do not see an incompatibility...

Best,
Michiel Leenaars
NLnet Foundation
Received on Thursday, 14 May 2020 15:59:08 UTC